Evaluate Cloud Service Providers

Verification against Criteria

International Organization for Standardization/International Electrotechnical Commission

ISO 27017 was built from ISO 27002, adding 7 controls related to cloud services. Although following this standard is not a requirement in some parts of the world, doing so can help address a wide swath of data protection and privacy standards from other nations, such as GDPR. The ISO standard has worldwide acceptance and provides an excellent framework for developing cloud services.

Payment Card Industry Data Security Standard

PCI DSS is a requirement for organizations that want to accept payment cards. It includes 12 requirements, but the cloud is referenced only once, in the shared hosting requirements, which are summarized as:

  • Ensure that a customer’s processes can only access their data environment.
  • Restrict customer access and privileges to their data environment.
  • Enable logging and audit trails that are unique to each environment, consistent with requirement 10.
  • Provide processes to support forensic investigations.

System/subsystem Product Certifications

Common Criteria

Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner, at a level commensurate with the target environment for use.

FIPS 140-2

Organizations that want to do business with the U.S. Government need to be FIPS 140-2 compliant. From NIST:

This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

FIPS requires that encryption, hashing, and message authentication use algorithms from an approved list.